DKIM DomainKeys Policy: Understanding the Difference Between o=~ and o=- in Email Authentication

When implementing DKIM (DomainKeys Identified Mail) for email authentication, one common point of confusion is the policy record's o= tag. This parameter determines how receiving mail servers should handle emails that fail DKIM verification.

The o=~ and o=- values in your DKIM policy record represent different levels of strictness:

  • o=~ (tilde): Indicates a relaxed policy where emails failing verification might still be accepted but marked
  • o=- (minus): Represents a strict policy where emails failing verification should be rejected

In your case, switching from o=~ (generated by the DKIM wizard) to o=- (from MediaTemple's Plesk) is actually a good practice for security:

_domainkey.example.com IN TXT "v=DKIM1; p=; o=-"

For proper testing, you can use these methods:

  1. Command line verification:
    dig TXT default._domainkey.example.com
    dig TXT _domainkey.example.com
  2. Python verification script:
    import dkim  # pip install dkimpy

    def verify_dkim(email_message):
        """Return True only if the message's DKIM signature verifies.

        email_message must be the raw RFC 5322 message as bytes,
        headers included, exactly as it was received."""
        try:
            # dkim.verify() returns False when the signature does not validate
            return dkim.verify(email_message)
        except dkim.DKIMException:
            # malformed or unparseable DKIM-Signature header
            return False

If you're not receiving test emails, check these potential problems:

  • DNS propagation delay (wait 24-48 hours)
  • Incorrect selector name in your DNS record
  • Syntax errors in your TXT record

For optimal email deliverability:

; Recommended DKIM record
; The quoted strings are concatenated with nothing in between, so the
; first one must end with ";" or the o= tag is glued onto the p= value.
default._domainkey IN TXT (
  "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQ...; "
  "o=-; t=y")

Remember to include the t=y flag during testing mode, which tells receivers you're testing your DKIM setup.


When implementing DomainKeys Identified Mail (DKIM), the policy flag (o=) determines how receivers should treat emails that fail verification. The two main variants you'll encounter are:

_domainkey.example.com IN TXT "o=~"  ; Testing mode
_domainkey.example.com IN TXT "o=-"  ; Enforcing mode

The tilde (~) indicates "testing mode" where:

  • Receivers will accept mail even if verification fails
  • Validation results are typically recorded in headers
  • Recommended for initial deployment phases

The hyphen (-) means "enforcing mode" where:

  • Receivers may reject or quarantine failed messages
  • Used when you're confident in your email infrastructure
  • Gmail and other providers take this as a strong signal

Here's how to properly set up both records in a BIND zone file:

; DKIM selector record
default._domainkey IN TXT "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC..."

; DKIM policy record
_domainkey IN TXT "t=y; o=~;"

Use these dig commands to verify your records:

dig +short TXT default._domainkey.example.com
dig +short TXT _domainkey.example.com

For comprehensive testing, these tools are invaluable:

  • DKIM Core Tools (http://dkimcore.org/tools/)
  • MXToolbox DKIM Checker
  • Google's Postmaster Tools

When transitioning from testing to enforcement:

  1. Monitor your testing-mode results for at least 2 weeks
  2. Check authentication reports in Google Postmaster Tools
  3. Gradually shift to o=- after ensuring >95% success rate

Remember that Gmail specifically recommends using o=- once you're confident in your setup, as they may treat emails from domains with lax policies differently.
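Added example in Python (not code from either answer above): a small parser for the tag=value TXT records shown on this page, covering both the selector key record and the _domainkey policy record with its o= and t= tags, plus a check for the BIND multi-string concatenation pitfall. All function names and the sample records are my own.

```python
import re

# A TXT record may be published as several quoted strings; a verifier joins
# them with nothing in between, so a string that does not end with ';' glues
# the next tag onto the p= value. This linter catches that before you publish.

# A p= value must be plain base64 (padding only at the very end).
BASE64_RE = re.compile(r"^[A-Za-z0-9+/]*={0,2}$")

def parse_tag_list(strings):
    """Join the character-strings of one TXT record and parse 'tag=value; ...'."""
    tags = {}
    for part in "".join(strings).split(";"):
        part = part.strip()
        if not part:
            continue
        name, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed tag: {part!r}")
        tags.setdefault(name.strip(), value.strip())  # first occurrence wins
    return tags

def policy_mode(tags):
    """Interpret the o= and t= tags of a _domainkey policy record."""
    mode = {"~": "relaxed", "-": "strict"}.get(tags.get("o"), "unspecified")
    testing = tags.get("t", "").lower() == "y"
    return mode, testing

def key_record_findings(tags):
    """Lint a selector key record; returns a list of human-readable problems."""
    findings = []
    if tags.get("v", "DKIM1") != "DKIM1":
        findings.append("v= must be DKIM1")
    p = tags.get("p")
    if p is None:
        findings.append("missing p= tag")
    elif p == "":
        findings.append("empty p= revokes the key; publish the public key")
    elif not BASE64_RE.match(p):
        findings.append("p= is not valid base64; a following tag was probably "
                        "glued on (end the previous TXT string with ';')")
    return findings

if __name__ == "__main__":
    # Constructed sample: the separator between the two strings is missing.
    broken = ["v=DKIM1; k=rsa; p=MIGfAAAA", "o=-; t=y"]
    print(key_record_findings(parse_tag_list(broken)))
    print(policy_mode(parse_tag_list(["t=y; o=~;"])))
```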